Recently, Verizon was caught tampering with its customer’s web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server2. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google’s Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.
STARTTLS is not a particularly strong, but it does filter out metadata like addresses and subjects.
What was (when discovered, the ISP in question, AIO Wireless, stopped doing this) is all about is an attempt to resell user data, or serve ads to the users.
As the good folks at Golden Frog observe:
Neither the old or the new proposed Internet rules being debated by the FCC would stop wireless providers from blocking encryption technologies. That is very frustrating and one of the key points in our FCC filing. The FCC is a government organization and tasked with protecting national security when it comes to electronic communications. They are part of the same government that surveils its citizens. It’s not unreasonable to think they are getting pressure to curtail encryption.
Furthermore, ISPs have incentive to block privacy technologies like VPNs. They want to profit as much as possible from the way you use the Internet. Privacy services that are independent of their offerings don’t allow them to do that. If they aren’t selling the service to you, they aren’t making money and that frustrates them. However, when they are blocking privacy services, they are dangerously putting businesses’ confidential communications and individual customers’ privacy at risk.
We strongly believe that the same Open Access rules that should apply to wired Internet providers should also apply to mobile Internet providers, especially considering this specific encryption-related incident that affects online privacy.
Unfettered free market capitalism ……… Gotta love it.
H/T naked capitalism.